[PR #227] [MERGED] fix: resolve CVEs, upgrade to Astro v6, and harden API security #1345

Closed
opened 2026-04-21 23:17:24 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/RayLabsHQ/gitea-mirror/pull/227
Author: @arunavo4
Created: 3/15/2026
Status: Merged
Merged: 3/15/2026
Merged by: @arunavo4

Base: main ← Head: security/fix-vulnerabilities-and-upgrade-deps


📝 Commits (5)

  • cf8c5dd fix: resolve CVEs, upgrade to Astro v6, and harden API security
  • a544b29 repositories: migrate table to tanstack
  • 7a2a622 Revert "repositories: migrate table to tanstack"
  • 806e0a6 Merge branch 'main' into security/fix-vulnerabilities-and-upgrade-deps
  • 8f2c75e fixed lock file

📊 Changes

13 files changed (+662 additions, -768 deletions)

View changed files

📝 Dockerfile (+22 -3)
📝 bun.lock (+529 -579)
📝 package.json (+19 -15)
➖ src/content/config.ts (+0 -4)
📝 src/lib/api.ts (+4 -22)
📝 src/lib/config.ts (+17 -2)
📝 src/lib/utils.ts (+3 -1)
📝 src/lib/utils/encryption.ts (+16 -3)
📝 src/pages/api/auth/check-users.ts (+3 -10)
📝 src/pages/api/auth/debug.ts (+17 -54)
📝 src/pages/api/cleanup/auto.ts (+8 -5)
📝 src/pages/api/config/index.ts (+18 -0)
📝 src/pages/api/health.ts (+6 -70)

📄 Description

Summary

  • Resolve 27 open Docker Scout CVEs across Go stdlib (git-lfs, esbuild), and npm packages (fast-xml-parser, devalue, node-forge, rollup, svgo)
  • Upgrade to Astro v6 (Vite 7, Zod 4) — remove legacy content config, update types
  • Harden 6 API endpoints against unauthenticated access, information disclosure, and insecure crypto

Docker Image CVE Fixes

| Fix | CVEs Resolved |
|-----|---------------|
| Install git-lfs v3.7.1 from GitHub releases (Go 1.25) instead of Debian apt | 9 Go stdlib CVEs (including CRITICAL CVE-2025-68121) |
| Strip build-only packages (esbuild, vite, rollup, svgo, tailwindcss) from production image | 9 esbuild Go stdlib CVEs + reduces image size |
| npm overrides: fast-xml-parser ≥5.3.6, devalue ≥5.6.2, node-forge ≥1.3.2, svgo ≥4.0.1, rollup ≥4.59.0 | 9 npm CVEs (2 CRITICAL, 7 HIGH) |

API Security Hardening

| Endpoint | Change |
|----------|--------|
| /api/auth/debug | Dev-only + require auth + removed POST (created test users!) + stripped sensitive config |
| /api/auth/check-users | Returns hasUsers: boolean instead of exact user count |
| /api/cleanup/auto | Now requires authentication |
| /api/health | Removed OS version, memory usage, uptime (info disclosure) |
| /api/config | Validates Gitea URL protocol (http/https only) |
| BETTER_AUTH_SECRET | Logs red security warning when using insecure defaults |

Crypto Fixes

  • generateRandomString(): replaced Math.random() with crypto.getRandomValues() — this was used to generate OAuth client secrets
  • hashValue(): added random salt + verifyHash() with timing-safe comparison

Backward Compatibility

All changes are backward compatible with existing deployments:

  • No endpoints had frontend consumers (verified via grep)
  • Health endpoint: Docker healthcheck uses --spider (status code only), UI only reads version fields
  • BETTER_AUTH_SECRET: warns instead of crashing — existing users keep working
  • SSRF: only validates protocol, does not block private IPs (self-hosted Gitea is typically on private networks)

Test plan

  • [x] bun run build — passes
  • [x] bun test — 163 pass, 0 fail
  • [ ] Docker build test (docker build -t gitea-mirror:test .)
  • [ ] Verify health endpoint returns expected shape
  • [ ] Verify debug endpoint returns 404 in production
  • [ ] Verify cleanup endpoint returns 401 without auth

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

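The /api/config change (Gitea URL protocol allow-list) together with the "SSRF" note under Backward Compatibility, as an added example that is not the project's src/pages/api/config/index.ts. The validateGiteaUrl() name, its return shape and the optional blockPrivateHosts flag are this example's own assumptions; the default behaviour matches the PR description (protocol check only, private addresses still allowed), and the flag shows the stricter check an operator could layer on top. The private-range test covers IPv4 literals, localhost and [::1] only, not hostnames that resolve to private addresses.

```javascript
// Added example, not gitea-mirror's code: validate a user-supplied Gitea URL.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// True for IPv4 literals in RFC 1918 space, loopback and link-local ranges.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 10 ||
    a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254)
  );
}

// Loopback names that the IPv4 check above would not catch.
function isLoopbackName(host) {
  return host === "localhost" || host === "[::1]";
}

// Default (as in the PR): only the protocol is validated, so private-network
// Gitea instances keep working. blockPrivateHosts (assumed option) adds a
// stricter policy for deployments that never talk to a private Gitea.
function validateGiteaUrl(raw, { blockPrivateHosts = false } = {}) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: `protocol ${url.protocol} not allowed (http/https only)` };
  }
  if (blockPrivateHosts && (isPrivateIPv4(url.hostname) || isLoopbackName(url.hostname))) {
    return { ok: false, reason: `host ${url.hostname} is a private or loopback address` };
  }
  return { ok: true, url: url.href };
}

module.exports = { isPrivateIPv4, isLoopbackName, validateGiteaUrl };
```

Using the WHATWG URL parser rather than a regex is deliberate: it normalises case ("HTTPS:" becomes "https:"), rejects relative strings, and exposes the parsed protocol and hostname so the allow-list is applied to what the HTTP client will actually use.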
GiteaMirror added the pull-request label 2026-04-21 23:17:24 -05:00
Reference: github-starred/gitea-mirror#1345